After quickly looking through the .pcap, we find two things: a Python source file and a large b64 string ('2Mk16Sk5iakYx…').
After extracting both, we look over the extracted code and see that the string is encoded with some combination of rot13, base64, and a Caesar cipher with shift=3. At any point during decryption, the first character of the string identifies the cipher with which the text that follows is encoded, so the problem is incredibly simple. We define

    dec_ciphers = ['rot13', 'b64decode', 'caesard']

    # inverse of the file's caesar(): shift back by the same amount
    def caesard(s, shift=3):
        return caesar(s, shift=-shift)

at the end of the extracted Python file, and finally create the extraction loop:
This code simply errors out when the flag is hit. Crude but effective.
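The layered scheme described above, as an added example (not the author's loop and not the challenge's code): it builds a constructed sample and peels it, stopping cleanly instead of erroring out. Assumptions: the leading character is a digit '1', '2' or '3' selecting rot13, base64 or Caesar in the order of `dec_ciphers`, the Caesar shift touches lowercase letters only, and `wrap`, `peel` and the sample flag are hypothetical names and data.

```python
import base64
import binascii
import codecs
import string

LOWER = string.ascii_lowercase

def rot13(s):
    return codecs.encode(s, "rot_13")  # self-inverse, so it also decodes

def caesar(s, shift=3):
    # Assumption: only lowercase letters are shifted; everything else passes through.
    k = shift % 26
    return s.translate(str.maketrans(LOWER, LOWER[k:] + LOWER[:k]))

def caesard(s, shift=3):
    return caesar(s, shift=-shift)

def b64e(s):
    return base64.b64encode(s.encode("ascii")).decode("ascii")

def b64d(s):
    return base64.b64decode(s, validate=True).decode("ascii")

# Assumption: tag '1', '2', '3' = position in dec_ciphers (rot13, base64, caesar).
ENCODERS = {"1": rot13, "2": b64e, "3": caesar}
DECODERS = {"1": rot13, "2": b64d, "3": caesard}

def wrap(plain, tags):
    """Build a constructed sample: apply one layer per tag, prefixing each tag."""
    blob = plain
    for tag in tags:
        blob = tag + ENCODERS[tag](blob)
    return blob

def peel(blob, max_layers=1000):
    """Strip layers until the leading character is no longer a known tag."""
    peeled = []
    while blob[:1] in DECODERS and len(peeled) < max_layers:
        try:
            decoded = DECODERS[blob[0]](blob[1:])
        except (binascii.Error, UnicodeDecodeError):
            break  # tag-like first character, but the body is not a valid layer
        peeled.append(blob[0])
        blob = decoded
    return blob, "".join(peeled)

SAMPLE = wrap("flag{constructed_example}", "2313212")  # constructed, not the challenge data
```

`peel(SAMPLE)` returns the recovered text together with the order in which the layers were removed, which is useful when documenting how an encoded blob found in a capture was unpacked.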